NAST – Network Analyzer Sniffer Tool

NAME

DESCRIPTION

Nast is a packet sniffer and a LAN analyzer based on Libnet and
Libpcap.
It can sniff in normal mode or in promiscuous mode the packets on a
network interface and log it. It dumps the headers of packets and the
payload in ascii or ascii-hex format. You can apply a filter. The
sniffed data can be saved in a separated file.
As analyzer tool, it has many features like:
* Build LAN hosts list
* Follow a TCP-DATA stream
* Find LAN Internet gateways
* Discover promiscuous nodes
* Reset an established connection
* Perform a single half-open portscanner
* Perform a multi half-open portscanner
* Find link type (hub or switch)
* Catch daemon banner of LAN nodes
* Control ARP answers to discover possible ARP-spoofing
* Byte counting with an optional filter
* Write reports logging
It also provides a new ncurses interface.

ANALYZERFEATURES

-P,--check-promisc<ip>
Check other NIC on the LAN with the promiscuous flag set.
By performing a fake ARP broadcast, we can determine if a NIC is
in promiscuous mode or not. If the checked host is in
promiscuous mode it will responds with an ARP response otherwise
it drop the packet.
Note: This method doesn't work with all OS
Use -Pall to query all network NIC
eg: root@localhost:~/$ nast -P 192.168.1.2
NAST "NETWORK ANALYZER SNIFFER TOOL"
192.168.1.2 (localhost.org) Found!!
We can check all nodes by using:
root@localhost:~/$ nast -P all
-m,--host-list
Map the LAN by performing a series of ARP request to sequential
subnet IP addresses.
eg: root@localhost:~/$ nast -m
NAST "NETWORK ANALYZER SNIFFER TOOL"
Mapping the Lan for 255.255.255.0 subnet ... please wait
MAC address IP address (hostname)
===========================================================
00:4R:BR:3E:21:12 192.168.1.1(nast.experiment.net)
00:50:BA:80:AC:11 192.168.1.2 (localhost.org) (*)
(*) This is localhost
-s,--tcp-stream
Follow a TCP/IP connection printing all data in payload. You
must specify the IP addresses of the ends.
eg of a ftp connection:
root@localhost:~/$ nast -s
NAST "NETWORK ANALYZER SNIFFER TOOL"
Type connection extremes
------------------------
1st ip : 192.168.1.1
1st port : 1041
2nd : 192.168.1.2
2nd port : 21
NAST TCP STREAM LOG
192.168.1.1->mistaya.neverland.org
PASV
192.168.1.1<-mistaya.neverland.org
227 Entering Passive Mode (192,168,1,2,4,12).
192.168.1.1->mistaya.neverland.org
LIST
(...)
-g,--find-gateway
Try to find possible Internet-gateways.
We send a SYN packet to a public host on port 80 through
sequential host-lan and if a SYN-ACK return we have find the
gateway.
-r,--reset-connection
Destroy an established connection. You must specify the IP
addresses of the ends and at least one port . Please, pay
attention when use this function.
eg: root@localhost:~/$ nast -r
NAST "NETWORK ANALYZER SNIFFER TOOL"
Type connection extremes
------------------------
1 ip / hostname : 192.168.1.1
1 port (0 to autodetect) : 0
2 ip / hostname : 192.168.1.2
2 port (0 to autodetect) : 21
- Waiting for SEQ ACK (192.168.1.1 -> 192.168.1.2:21)
- Stoled SEQ (247656261) ACK (3764364876)...
- Connection has been resetted
This feature works only if we can read SEQ and ACK numbers,
because RST mechanism works with them.
-S,--port-scanner
Performs a half-open port scanning on the selected host. It
tries also to determine some firewall (just iptables) rules.
About this technique NMAP says: This technique is often referred
to as "half-open" scanning, because you don't open a full TCP
connection. You send a SYN packet, as if you are going to open
a real connection and you wait for a response. A SYN|ACK
indicates the port is listening. A RST is indicative of a non-
listener. If a SYN|ACK is received, a RST is immediately sent
to tear down the connection (actually our OS kernel does
this for us). The primary advantage to this scanning technique
is that fewer sites will log it. Unfortunately you need root
privileges to build these custom SYN packets.
eg: root@localhost:~/$ nast -S
NAST "NETWORK ANALYZER SNIFFER TOOL"
Port Scanner extremes
Insert IP to scan : 192.168.1.3
Insert Port range : 1-100
Wait for scanning...
State Port Services Notes
Open 22 ssh None
Open 27 nsw-fe None
All the other 98 ports are in state closed
Scanning terminated on Apr 14 21:46:55
The Port range could be in the following style:
eg: 1-100 (means from port 1 to 100)
1,3,5,1000 (means ports 1,3,5 and 1000)
1-50,60 (means from port 1 to 50 and port 60)
-M,--multi-port-scanner
Same as above but done on all hosts of the lan.
-L,--find-link
Tries to determine what type of link is used in the LAN (Hub or
switch).
In the LAN segment is there a HUB or a SWITCH? We can find it by
sending a spoofed ICMP echo-request (to work there must be at
least 3 host in LAN and at least one of them must reply with a
ICMP echo-replay)
-b,--daemon-banner
Checks the most famous daemon banner on the LAN's hosts.
You can customize ports database adding them to ports[] variable
in main.c
-c,--check-arp-poisoning
Control ARP answers to discover possible ARP spoofing attacks
like man-in-the-middle
When run, Nast make a database of all network node (IP and MAC
address), then sniff ARP response and verify the correctness of
IP-mac address association. Remember to execute Nast when you
are sure that nobody is making ARP-poisoning, than have fun and
relax and check program output:).
-C,--byte-counting<"filter">
Apply traffic counting to <"filter"> (see FILTER SYNTAX section
below for syntax)
Use -Cany if you don't want to use a filter.
eg: root@localhost:~/$ nast -C any
NAST "NETWORK ANALYZER SNIFFER TOOL"
Reading from "eth0"
Packets Total Current speed Average
speed
----------------------------------------------------------------
- 24 1008B 18B/s 21B/s

GENERALOPTIONS

-G,--ncurses
Run Nast with the ncurses interfaces (only if compiled with
ncurses support)
-l,--log-file<filename>
Log reports to <filename>. Work with many features.
-B,--daemon
Run in background like daemon and turn off stdout (very useful
for sniffer/stream/ARP control logging)
-V,--version
Show version information

NCURSESINTERFACENOTE

Versions later 0.2.0 have a new ncurses interface which has many
improvements regarding the correspondent command line version. For
example you can select the connection interactively for tcp stream and
reset features and byte counting module show much more information
(packets type and connections load).
Please read NCURSES_README file before using the ncurses interface!

FILTERSYNTAX,WHATPCAPGIVEUS!

Important: this section has been copied from Tcpdump 3.7.1 manpage and
"expression" here stand from "filter".
Remeber to enclose filter between apexes ("something like this")
expression
selects which packets will be dumped. If no expression is
given, all packets on the net will be dumped. Otherwise, only
packets for which expression is `true' will be dumped.
The expression consists of one or more primitives. Primitives
usually consist of an id (name or number) preceded by one or
more qualifiers. There are three different kinds of qualifier:
type qualifiers say what kind of thing the id name or number
refers to. Possible types are host, net and port. E.g.,
`host foo', `net 128.3', `port 20'. If there is no type
qualifier, host is assumed.
dir qualifiers specify a particular transfer direction to
and/or from id. Possible directions are src, dst, srcordst and srcanddst. E.g., `src foo', `dst net 128.3',
`src or dst port ftp-data'. If there is no dir
qualifier, srcordst is assumed. For `null' link layers
(i.e. point to point protocols such as slip) the inbound
and outbound qualifiers can be used to specify a desired
direction.
proto qualifiers restrict the match to a particular protocol.
Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp,
decnet, tcp and udp. E.g., `ether src foo', `arp net
128.3', `tcp port 21'. If there is no proto qualifier,
all protocols consistent with the type are assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means
`(ip or arp or rarp) net bar' and `port 53' means `(tcp
or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the
specified network interface.'' FDDI headers contain Ethernet-
like source and destination addresses, and often contain
Ethernet-like packet types, so you can filter on these FDDI
fields just as with the analogous Ethernet fields. FDDI headers
also contain other fields, but you cannot name them explicitly
in a filter expression.
Similarly, `tr' is an alias for `ether'; the previous
paragraph's statements about FDDI headers also apply to Token
Ring headers.]
In addition to the above, there are some special `primitive'
keywords that don't follow the pattern: gateway, broadcast,
less, greater and arithmetic expressions. All of these are
described below.
More complex filter expressions are built up by using the words
and, or and not to combine primitives. E.g., `host foo and not
port ftp and not port ftp-data'. To save typing, identical
qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-
data or domain' is exactly the same as `tcp dst port ftp or tcp
dst port ftp-data or tcp dst port domain'.
Allowable primitives are:
dsthosthost
True if the IPv4/v6 destination field of the packet is
host, which may be either an address or a name.
srchosthost
True if the IPv4/v6 source field of the packet is host.
hosthost
True if either the IPv4/v6 source or destination of the
packet is host. Any of the above host expressions can be
prepended with the keywords, ip, arp, rarp, or ip6 as in:
iphosthost
which is equivalent to:
etherproto\ipandhosthost
If host is a name with multiple IP addresses, each
address will be checked for a match.
etherdstehost
True if the ethernet destination address is ehost. Ehost
may be either a name from /etc/ethers or a number (see
ethers(3N) for numeric format).
ethersrcehost
True if the ethernet source address is ehost.
etherhostehost
True if either the ethernet source or destination address
is ehost.
gatewayhost
True if the packet used host as a gateway. I.e., the
ethernet source or destination address was host but
neither the IP source nor the IP destination was host.
Host must be a name and must be found both by the
machine's host-name-to-IP-address resolution mechanisms
(host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism
(/etc/ethers, etc.). (An equivalent expression is
etherhostehostandnothosthost
which can be used with either names or numbers for host/ehost.) This syntax does not work in IPv6-enabled
configuration at this moment.
dstnetnet
True if the IPv4/v6 destination address of the packet has
a network number of net. Net may be either a name from
/etc/networks or a network number (see networks(4) for
details).
srcnetnet
True if the IPv4/v6 source address of the packet has a
network number of net.
netnet
True if either the IPv4/v6 source or destination address
of the packet has a network number of net.
netnetmasknetmask
True if the IP address matches net with the specific
netmask. May be qualified with src or dst. Note that
this syntax is not valid for IPv6 net.
netnet/len
True if the IPv4/v6 address matches net with a netmask
len bits wide. May be qualified with src or dst.
dstportport
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp
and has a destination port value of port. The port can
be a number or a name used in /etc/services (see tcp(4P)
and udp(4P)). If a name is used, both the port number
and protocol are checked. If a number or ambiguous name
is used, only the port number is checked (e.g., dstport513 will print both tcp/login traffic and udp/who
traffic, and portdomain will print both tcp/domain and
udp/domain traffic).
srcportport
True if the packet has a source port value of port.
portport
True if either the source or destination port of the
packet is port. Any of the above port expressions can be
prepended with the keywords, tcp or udp, as in:
tcpsrcportport
which matches only tcp packets whose source port is port.
lesslength
True if the packet has a length less than or equal to
length. This is equivalent to:
len<=length.greaterlength
True if the packet has a length greater than or equal to
length. This is equivalent to:
len>=length.ipprotoprotocol
True if the packet is an IP packet (see ip(4P)) of
protocol type protocol. Protocol can be a number or one
of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp,
udp, or tcp. Note that the identifiers tcp, udp, and
icmp are also keywords and must be escaped via backslash
(\), which is \\ in the C-shell. Note that this
primitive does not chase the protocol header chain.
ip6protoprotocol
True if the packet is an IPv6 packet of protocol type
protocol. Note that this primitive does not chase the
protocol header chain.
ip6protochainprotocol
True if the packet is IPv6 packet, and contains protocol
header with type protocol in its protocol header chain.
For example,
ip6protochain6
matches any IPv6 packet with TCP protocol header in the
protocol header chain. The packet may contain, for
example, authentication header, routing header, or hop-
by-hop option header, between IPv6 header and TCP header.
The BPF code emitted by this primitive is complex and
cannot be optimized by BPF optimizer code in tcpdump, so
this can be somewhat slow.
ipprotochainprotocol
Equivalent to ip6protochainprotocol, but this is for
IPv4.
etherbroadcast
True if the packet is an ethernet broadcast packet. The
ether keyword is optional.
ipbroadcast
True if the packet is an IP broadcast packet. It checks
for both the all-zeroes and all-ones broadcast
conventions, and looks up the local subnet mask.
ethermulticast
True if the packet is an ethernet multicast packet. The
ether keyword is optional. This is shorthand for
`ether[0]&1!=0'.
ipmulticast
True if the packet is an IP multicast packet.
ip6multicast
True if the packet is an IPv6 multicast packet.
etherprotoprotocol
True if the packet is of ether type protocol. Protocol
can be a number or one of the names ip, ip6, arp, rarp,
atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp,
ipx, or netbeui. Note these identifiers are also
keywords and must be escaped via backslash (\).
[In the case of FDDI (e.g., `fddiprotocolarp') and
Token Ring (e.g., `trprotocolarp'), for most of those
protocols, the protocol identification comes from the
802.2 Logical Link Control (LLC) header, which is usually
layered on top of the FDDI or Token Ring header.
When filtering for most protocol identifiers on FDDI or
Token Ring, tcpdump checks only the protocol ID field of
an LLC header in so-called SNAP format with an
Organizational Unit Identifier (OUI) of 0x000000, for
encapsulated Ethernet; it doesn't check whether the
packet is in SNAP format with an OUI of 0x000000.
The exceptions are iso, for which it checks the DSAP
(Destination Service Access Point) and SSAP (Source
Service Access Point) fields of the LLC header, stp and
netbeui, where it checks the DSAP of the LLC header, and
atalk, where it checks for a SNAP-format packet with an
OUI of 0x080007 and the Appletalk etype.
In the case of Ethernet, tcpdump checks the Ethernet type
field for most of those protocols; the exceptions are
iso, sap, and netbeui, for which it checks for an 802.3
frame and then checks the LLC header as it does for FDDI
and Token Ring, atalk, where it checks both for the
Appletalk etype in an Ethernet frame and for a SNAP-
format packet as it does for FDDI and Token Ring, aarp,
where it checks for the Appletalk ARP etype in either an
Ethernet frame or an 802.2 SNAP frame with an OUI of
0x000000, and ipx, where it checks for the IPX etype in
an Ethernet frame, the IPX DSAP in the LLC header, the
802.3 with no LLC header encapsulation of IPX, and the
IPX etype in a SNAP frame.]
decnetsrchost
True if the DECNET source address is host, which may be
an address of the form ``10.123'', or a DECNET host name.
[DECNET host name support is only available on Ultrix
systems that are configured to run DECNET.]
decnetdsthost
True if the DECNET destination address is host.
decnethosthost
True if either the DECNET source or destination address
is host.
ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
Abbreviations for:
etherprotop
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
etherprotop
where p is one of the above protocols. Note that tcpdump
does not currently know how to parse these protocols.
vlan[vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet. If
[vlan_id] is specified, only true is the packet has the
specified vlan_id. Note that the first vlan keyword
encountered in expression changes the decoding offsets
for the remainder of expression on the assumption that
the packet is a VLAN packet.
tcp, udp, icmp
Abbreviations for:
ipprotoporip6protop
where p is one of the above protocols.
isoprotoprotocol
True if the packet is an OSI packet of protocol type
protocol. Protocol can be a number or one of the names
clnp, esis, or isis.
clnp, esis, isis
Abbreviations for:
isoprotop
where p is one of the above protocols. Note that tcpdump
does an incomplete job of parsing these protocols.

EXAMPLES

Here are some examples of the use of NAST:
nast-f"src192.168.1.2"
In this example with the help of the filter we choose to see only the
traffic from 192.168.1.2
nast-p-B--ldlogfile.txt
Here we run nast in background mode and log all data that pass through
our NIC.
nast-S-llogfile.txt
In this other case we log the results of the port scanner in the file
"logfile.txt"
nast-c-B
This is a very useful options. We run in background mode nast that
checks if someone is arp-poisoning.